ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

PCRE2 regexp matching not working properly #1845

Open BernaldoPenasAntelo opened 4 years ago

BernaldoPenasAntelo commented 4 years ago

Following the docs, with the newest version of OSSEC running, I'm trying to create a custom rule with this expression:

(.*\.){7,}

I'm following the PCRE2 syntax, but I get no matches when I run my tests (I have used different online regexp engines and verified that the regexp is correct and matches my tests).

To test it I use the binary ossec-regex and get:

~# /var/ossec/bin/ossec-regex '(.*\.){7,}'
mi.de.que.me.dice.sel.que.de.es.gob.mu

It gives me no results, nothing happens.

I have tested that the binary works:

~# /var/ossec/bin/ossec-regex '^a'
antonio
+OSRegex_Execute: antonio
+OS_Regex       : antonio
+OSMatch_Compile: antonio
+OS_Match2      : antonio

What am I doing wrong? Any help will be useful.

Thanks in advance.

Avamander commented 4 years ago

OSSEC's regex isn't a full PCRE implementation.

BernaldoPenasAntelo commented 4 years ago

Well ... knowing that ... do I have any options to know exactly what's implemented ... or do I have to test everything in order to know if it's going to work? What I want to say is ... is there any detailed documentation about how to use this implementation of the library and its limitations?